|Publication number||US7945563 B2|
|Application number||US 11/424,799|
|Publication date||May 17, 2011|
|Filing date||Jun 16, 2006|
|Priority date||Jun 16, 2006|
|Also published as||CN101473322A, CN101473322B, EP1929416A1, EP1929416A4, US20070294203, WO2007149650A1|
|Publication number||11424799, 424799, US 7945563 B2, US 7945563B2, US-B2-7945563, US7945563 B2, US7945563B2|
|Inventors||Edward F. Seitz|
|Original Assignee||Yahoo! Inc.|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (13), Non-Patent Citations (8), Referenced by (7), Classifications (9), Legal Events (5)|
|External Links: USPTO, USPTO Assignment, Espacenet|
A portion of the disclosure of this patent document contains material which is subject to (copyright or mask work) protection. The (copyright or mask work) owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all (copyright or mask work) rights whatsoever.
Because the embedded code is executed on the viewing computer, these executables are often used by miscreants to gain access to other's computer for nefarious purposes. For example, an ActiveX control may be used to install a dialer, spyware, or a Trojan horse on a computer without the computer user's knowledge when the computer views a web page. Without inspecting the source code of a web page (e.g., the HTML code that makes up the page), a viewer normally will know what embedded code will be executed upon viewing the web page. In addition, simply by looking at the source code, a user often can not determine if an item of embedded code is malicious or not.
Against this backdrop the present invention has been developed. The present invention relates to systems and methods for automatically delivering information to a user concerning the embedded code contained in a web page before the user downloads the web page for viewing. In an embodiment, a search engine, in addition to performing a standard subject matter word search requested by a user, searches a previously generated index of web pages or each web page to be listed to the user as part of the search results for information indicating that there is embedded code in the web page. If it is determined that a web page contains embedded code, the search results graphical user interface is provided with additional information indicating to the user which web page in the results contains embedded code. The user may also be alerted if a web page contains embedded code known to be malicious and the order of the search results may be modified based on the embedded code information of the web pages in the results.
In one aspect, the present invention may be considered a method for searching content items such as web pages on a network. The method includes receiving a search request and identifying one or more web pages matching criteria contained in the search request. Search results are then generated and transmitted in response to the search request. The search results contain information identifying the one or more web pages matching the criteria contained in the search request and, for each of the one or more web pages containing embedded code, information derived from the embedded code.
In another aspect, the present invention may be considered a system for searching a network for digital information including a search engine adapted to search for web pages matching user-provided search criteria and to generate a listing of web pages matching the user-provided search criteria. The search engine is further adapted to search each web page matching the user-provided search criteria for text indicating that the web page contains embedded code. In addition, the search engine is further adapted to indicate on the listing that a web page contains embedded code. The system may also include a database in communication with the search engine that identifies at least one embedded code as malicious.
In yet another aspect, the present invention may be considered a graphical user interface generated by a search engine and displayed to a search requester. The graphical user interface includes a listing of items matching search criteria provided by a search requestor and, associated with each item, an embedded code information area containing information describing embedded code contained in the associated item.
These and various other features as well as advantages which characterize the present invention will be apparent from a reading of the following detailed description and a review of the associated drawings. Additional features of the invention are set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The benefits and features of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed.
The following drawing figures, which form a part of this application, are illustrative of embodiments of the present invention and are not meant to limit the scope of the invention in any manner, which scope shall be based on the claims appended hereto.
In addition to the statements typically found in the body described above, another way of embedding code is to use a “style sheet” such as those designated by the STYLE element. While style sheets normally control the way text and graphics are presented on a page, embedded code may be contained in or pointed to by the style sheet.
Depending on the programming language used, there are many different ways to embed code into a web page. In addition to those described above, languages used for web pages may have other capabilities or means for embedding code. Embedding code in a web page is well known in the art.
In addition to the location, embedded code identifier elements often also provide some identifier of the embedded code. For example, in the case of ActiveX controls, the identifier may be a class ID (as shown in the second embedded code identifier 108) associated with the ActiveX control or a “friendly name” of the ActiveX control. The type of identifier provided may differ depending on the embedded code identifier element used and may differ based on preferences of the web page designer. It should also be noted that miscreants attempting to compromise a computer's security using embedded code often will do their best to obfuscate the identification of the embedded code by supplying misinformation in the identifier if possible.
Regardless, the existence of embedded code can be determined by a simple inspection of the source code of a web page. In addition, the type and nature and often an identifier of that embedded code may also be determined.
In the embodiment shown, the method 200 starts with a user initiating a search by accessing a search engine and entering a search request, such as for example a search request for pages associated with the word “baseball” in a receive search request operation 202.
The search engine may then perform a search of the network for all web pages matching the search criteria, i.e., baseball, in a text search operation 204. In an embodiment, this text search 204 typically includes searching a previously generated index of web pages on the network. Alternatively, it could involve searching the network itself. Often, such searches involve and inspection of the text in the web pages to return a set of results.
In the embodiment shown, each of the web pages that are included in the set of results are also searched for embedded code identifier elements in an embedded code search operation 206. In an embodiment the text search operation 204 and the embedded code search operation 206 may be performed serially. Alternatively, the text search operation 204 and the embedded code search operation 206 may be performed as part of a single, integrated search operation.
For the purposes of this specification, a web page that when viewed could cause the download and/or execution of software by the viewing computer is referred to as a web page that “contains embedded code”. The reader will understand that such embedded software may only be referred to by the web page source code and does not actually exist within the web page source code.
The search operation 206 may further include virtually rendering the web page in addition to simply scanning the web page for embedded code identifiers. By virtually rendering the web page, some objects that are surreptitiously embedded through a dummy file that under normal circumstances would not be considered a potential source of embedded code, such as an image file or audio file, may be detected.
If the embedded code search operation 206 determines that a web page contains embedded code, the information provided in the web page about that embedded code is inspected. For example, the EMBED element in HTML includes a CLASS attribute that may include information about the embedded code. Other means of embedding code in web pages similarly provide at least some information, be it a name, an identifier, a location (such as a URL address), a publisher, etc. Regardless, this information about the embedded code is inspected and may be retrieved in an identify embedded code operation 208.
The identify embedded code operation 208 may also include categorizing the information in order to determine the proper order for listing the web pages in the search results by the embedded code detected on each page.
In the embodiment shown, the embedded code search operation 206 and the identify embedded code operation 208 are performed on the web pages listed in the results of the text search operation 204. However, in another embodiment, the embedded code search operation 206 may also or alternatively include searching the previously generated index for embedded code information, such as a flag, identifier, or embedded code information of some kind, that was generated at the time the index or index entries were created by the search engine.
For example, many modern search engines use a web crawler to continuously crawl the Internet and create an index or other database of web pages. In an embodiment, as each web page is encountered and indexed, the embedded code search operation 206 and the identify embedded code operation 208 are performed and information regarding the embedded software added to the search index to facilitate future searches. Thus, when the search request is received, all that is necessary is to perform the requested search operation 204 of the index and display the results, the embedded code information for each page being previously identified and categorized and thus easily displayed to the user as part of the results display.
After the identify embedded code operation 208, the information about each embedded code in the web page may be compared to a database of known embedded software in a comparison operation 210. The comparison operation 210 may include matching the information known about the embedded code with known embedded software to determine if the embedded software is legitimate or nefarious. The database has been previously developed and may include all embedded code identified by the search engine in previous searches. As embedded elements are determined to be nefarious, the database may be updated to reflect this new information. In addition, embedded code may be known to be legitimate based on a registration of that embedded code by the code's creator or the web page's creator. This allows creators of legitimate embedded code to make certain that users do not mistake their code for malicious code.
The comparison operation 210 identifies whether the embedded code is known to the database and whether the code is known to be legitimate or malicious based on the information in the database.
Next, the search results are displayed to the user requesting the search in a display results operation 212. The display results operation 212 may include generating a graphical user interface (GUI) containing a listing of web pages or other search results based on the requested search and transmitting the GUI to the user in response to the user's search request. The GUI is then displayed on the user's computing device. For example, the GUI may be dynamic .HTML page generated by the search system and transmitted to a browser on the user's computing device.
In an embodiment, the web pages matching the search criteria provided by the user are displayed, such in a list of links to each page (see
Based on the information displayed, the user that requested the search now has information concerning the embedded code contained in each web page in the search results listing. This allows the user to make an informed decision about whether to access each web page and what potential embedded code may be executed as a result of such access.
In addition to the utility in identifying known malicious code to the user, the existence of embedded code also provides an indication of how long it will take to display a given web page as the installation and execution of most embedded code is a time consuming process.
Alternative embodiments of the method 200 are also possible. For example, the order of the operations may be changed while still providing the same information to a user with the search results. In an embodiment, the search text operation 204 and the search for embedded code operation 206 may be performed periodically (or continuously) as part of a general search of content on the network rather than in response to receipt of a specific search request. The information obtained may then be stored, such as in an index, in a database and that database is then consulted upon the occurrence of a receive search request operation 202.
In yet another embodiment, the search for embedded code operation 206 may be performed periodically (or continuously) as part of a general search of content on the network independently of any text search. The URL or other identifier of any web pages or content items that are found to contain malicious or embedded code may then be added to a database that is consulted whenever search results are being generated. Other information about the embedded code may also be added to the database such as an identifier of the embedded code, the type of embedded code, whether the embedded code is known to be malicious or not and the URL of the embedded code. Then, as part of performing a search and generating a set of search results to be displayed to a user, the items listed in the search results are cross indexed with the database in a comparison operation to determine if any of the items in the search results have been previously determined to contain embedded code or malicious software. This embodiment may be particularly useful if information concerning embedded code or malicious web pages are provided by sources other than the search engine, e.g., members of the community or a security organization for instance.
In the embodiment shown, the embedded code information about each web page in the listing 304 is displayed in an embedded code information area 306. Each web page entry 308 in the listing 304 includes an embedded code information area 306 associated with the web page. The embedded code information area 306 may include icons (as shown), textual or other indicators that convey to the user information concerning the embedded code on the associated web page.
The type and amount of embedded code information displayed are limited only by the search engine designer's preferences. More or less information may be displayed based on the search engine's ability to retrieve such information and space available or selected for such display. For example, in the embodiment shown, icons 310, 312, 314, 316 are used that indicate in a very little space the existence and the type of embedded code in an associated web page. Each icon 310, 312, 314, 316 provides different information to the user. In the embodiment shown, a first icon 310 indicates to the user than an ActiveX control is embedded in the associated web page; a second icon 312 indicates that a Shockwave item is embedded in the web page; a third icon 314 indicates that a Flash item is embedded in the web page; and a fourth icon 316 indicating unsafe embedded code (e.g., the embedded code was identified in a comparison operation 210 as being a known malicious code).
Such icons 310, 312, 314, 316 may indicate to the user what embedded code will automatically be executed by the user's computer if the page is accessed. Alternatively, such icons 310, 312, 314 may indicate to the user what embedded code could potentially be executed by the user's computer if the web page is accessed, e.g., assuming that every part or functionality of the web page is accessed thereby triggering execution of embedded code that may not be automatically executed upon display of the web page.
The embodiment shown in
In addition, as discussed above, the graphical user interface 300 may be modified to display more or less information as desired. For example, after each icon 310, 312, 314, 316 a number may be provided to indicate the number of different items of embedded code contained in the web page. This information may also be helpful to some users in determining relatively how long it may take to download a particular web page in the listing 304.
An embodiment of the present invention further allows users to select preferences on how search results are presented to the user based on the embedded code in the web page entries 308. In the embodiment of the graphical user interface 300 shown, a preferences selection area 320 is provided through which the user may select, via checkbox interface elements, what web pages are to be displayed. For example, a user may indicate through the selection of preferences that all web pages with embedded code of a specific type be removed from the listing 304 of moved to the end of the listing.
As another example, a user may indicate through the selection of preferences that all web pages with embedded code known to be malicious are not listed in the results of a search.
In addition, preferences may be provided that sort the entries 308 in the listing 304 based on the type and/or amount of embedded code in each web page of the search results. Such sorting may be controlled through a user's preference selections so that a user may modify how results are presented based on embedded code. These preferences may be controlled via the preferences selection area 320 or alternatively via a preference menu (not shown) accessible through a drop down box or some other display means known in the art.
The architecture 400 includes a search server 412 that includes a search engine 406. The clients 402 may interact with the search engine 406 through a web page that is the GUI of the search engine 406. In the embodiment shown, the search engine 406, in response to search requests made by the clients 402, performs a search of the web pages on the web page servers 408 accessible via the network 404 for web pages matching the search criteria supplied by the requestor.
In addition to generating listings or other representations of search results and transmitting the same to the requesting client 402, the search engine 406 also searches each web page in the listing for embedded code, such as via the methods described above. Information about the embedded code is then included with the search results transmitted to the requester.
The search engine 406 is further adapted to interact with a database 410 containing a list of embedded code that is known to be malicious. The database 410 may also include a list of code that is known to be safe or that has been registered with the search engine 406 as safe. The database may be maintained on the search server 412 as shown or, alternatively, may be maintained at a remote location, such as by a security authority (not shown) that continuously updates the database 410 to include newly identified embedded code.
In an embodiment, the database 410 may also include a list of known web pages or content that contains embedded code. This list may be accessed, as described above, as part of the process of generating the search results for transmission to the requester. If an item, such as a web page, in the search results is identified in the database, then the item may be flagged with the appropriate information or icon. The database 410 may then include a list of all known web pages or items that have embedded code and may also include information for each entry in the list identifying the type(s) of embedded code and whether the web page is known to contain malicious software. As the search engine 406 and members of the community identify new web pages or provide new or updated information, the database 410 may be updated or revised to reflect the most recent information.
The database 410 may be stored on a mass storage device (not shown) that is connected to the search server 412 or alternatively may be considered part of the server 412. The mass storage device and its associated computer-readable media, provide non-volatile storage. Although the description of computer-readable media contained herein refers to a mass storage device, such as a hard disk or CD-ROM drive, it should be appreciated by those skilled in the art that computer-readable media can be any available media that can be accessed by the search server 412.
By way of example, and not limitation, computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
It will be clear that the present invention is well adapted to attain the ends and advantages mentioned as well as those inherent therein. Those skilled in the art will recognize that the methods and systems of the present invention within this specification may be implemented in many manners and as such is not to be limited by the foregoing exemplified embodiments and examples. In other words, functional elements being performed by a single or multiple components, in various combinations of hardware and software, and individual functions can be distributed among software applications at either the client or server level. In this regard, any number of the features of the different embodiments described herein may be combined into one single embodiment and alternate embodiments having fewer than or more than all of the features herein described are possible.
While various embodiments have been described for purposes of this disclosure, various changes and modifications may be made which are well within the scope of the present invention. For example, while embodiments have been discussed in terms of .HTML web pages, one skilled in the art will realize that any type of digital content may be searched using this technique, including web pages written in another language such as XML, music, artwork or movies.
Furthermore, regardless of how searches are performed and items listed in search results are determined to contain embedded code or potentially malicious code, embodiments of the present invention deliver search results to the user that identify the presence of embedded code or possibly malicious code in items listed in the search results. How such a presence is indicated to the user may differ depending on the way the search results are presented to the user.
Numerous other changes may be made which will readily suggest themselves to those skilled in the art and which are encompassed in the spirit of the invention disclosed and as defined in the appended claims.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US6356899 *||Mar 3, 1999||Mar 12, 2002||International Business Machines Corporation||Method for interactively creating an information database including preferred information elements, such as preferred-authority, world wide web pages|
|US6721721||Jun 15, 2000||Apr 13, 2004||International Business Machines Corporation||Virus checking and reporting for computer database search results|
|US7031968 *||Jan 5, 2001||Apr 18, 2006||Prev-U Israel Ltd.||Method and apparatus for providing web site preview information|
|US7043757||May 22, 2001||May 9, 2006||Mci, Llc||System and method for malicious code detection|
|US7272783 *||Apr 19, 2001||Sep 18, 2007||International Business Machines Corporation||Method and system in an electronic spreadsheet for managing and handling user-defined options|
|US20020138621||Feb 8, 2001||Sep 26, 2002||Rutherford Jan R.||System and method for displaying remotely stored content on a web page|
|US20030097591 *||Nov 20, 2001||May 22, 2003||Khai Pham||System and method for protecting computer users from web sites hosting computer viruses|
|US20030187950 *||Mar 29, 2002||Oct 2, 2003||Sony Corporation & Sony Electronics Inc.||Method and system for utilizing embedded MPEG-7 content descriptions|
|US20060041927 *||May 2, 2005||Feb 23, 2006||Vulcan Inc.||Maintaining a graphical user interface state that is based on a selected time|
|US20060085741 *||Oct 20, 2004||Apr 20, 2006||Viewfour, Inc. A Delaware Corporation||Method and apparatus to view multiple web pages simultaneously from network based search|
|US20060101514||Nov 1, 2005||May 11, 2006||Scott Milener||Method and apparatus for look-ahead security scanning|
|US20060129603||Aug 24, 2005||Jun 15, 2006||Jae Woo Park||Apparatus and method for detecting malicious code embedded in office document|
|US20070011739 *||Jun 28, 2005||Jan 11, 2007||Shay Zamir||Method for increasing the security level of a user machine browsing web pages|
|1||Cross Site Scripting (XSS): "The Complete Documentation" [Online] XP002506390, 2008.|
|3||Notification of Transmittal of The International Search Report And the Written Opinion of The International Searching authority, Or The Declaration (PCT/US2007/068703.|
|4||Ollmann, G.: "HTML Code Injection and effect of CSS (XSS) Vulnerabilities"Internet Publication, [Online] 2003 http://www.technicalinfo.net/papers/CSS.html-retrieved on Dec. 2, 2008.|
|5||Ollmann, G.: "HTML Code Injection and effect of CSS (XSS) Vulnerabilities"Internet Publication, [Online] 2003 http://www.technicalinfo.net/papers/CSS.html—retrieved on Dec. 2, 2008.|
|6||Search Sites Tied To Viruses, Spyware May 12, 2006, The Wall Street Journal-Online; p. 1-2 http://online.wsj.com/article-print/SB114739560986950892.html.|
|7||Search Sites Tied To Viruses, Spyware May 12, 2006, The Wall Street Journal—Online; p. 1-2 http://online.wsj.com/article—print/SB114739560986950892.html.|
|8||Supplementary European Search Report (EP 07 78 3611) dated Dec. 2, 2008.|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US8474048 *||Jul 16, 2009||Jun 25, 2013||F-Secure Oyj||Website content regulation|
|US8677481 *||Sep 30, 2008||Mar 18, 2014||Trend Micro Incorporated||Verification of web page integrity|
|US9356941 *||Aug 16, 2010||May 31, 2016||Symantec Corporation||Systems and methods for detecting suspicious web pages|
|US9398032 *||Jul 9, 2009||Jul 19, 2016||Trend Micro Incorporated||Apparatus and methods for detecting malicious scripts in web pages|
|US20100017880 *||Jul 16, 2009||Jan 21, 2010||F-Secure Oyj||Website content regulation|
|US20100211861 *||Feb 8, 2008||Aug 19, 2010||Ntt Docomo, Inc.||Content distribution management device, communication terminal, program, and content distribution system|
|US20110072262 *||Sep 23, 2009||Mar 24, 2011||Idan Amir||System and Method for Identifying Security Breach Attempts of a Website|
|U.S. Classification||707/722, 707/706, 707/709, 726/22|
|Cooperative Classification||G06F17/30991, G06F17/30864|
|European Classification||G06F17/30Z2V, G06F17/30W1|
|Jun 16, 2006||AS||Assignment|
Owner name: YAHOO! INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SEITZ, EDWARD F.;REEL/FRAME:017800/0492
Effective date: 20060616
|Oct 22, 2014||FPAY||Fee payment|
Year of fee payment: 4
|Apr 18, 2016||AS||Assignment|
Owner name: EXCALIBUR IP, LLC, CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:YAHOO! INC.;REEL/FRAME:038383/0466
Effective date: 20160418
|Jun 1, 2016||AS||Assignment|
Owner name: YAHOO! INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EXCALIBUR IP, LLC;REEL/FRAME:038951/0295
Effective date: 20160531
|Jun 3, 2016||AS||Assignment|
Owner name: EXCALIBUR IP, LLC, CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:YAHOO! INC.;REEL/FRAME:038950/0592
Effective date: 20160531